cybersecured-agent-risk-advisory

Security checks across malware telemetry and agentic risk

Overview

The skill matches its risk-advisory purpose, but it directs broad collection and upload of sensitive local agent evidence with insufficient user control.

Review this skill carefully before installing. It may be appropriate only if you intentionally want a third-party risk service to receive detailed agent security posture and incident evidence. Before using the claim-evidence collection feature, confirm exactly what the CLI will upload, avoid sending unrelated sessions or logs, redact secrets, and do not use --no-verify-ssl with real credentials or sensitive evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium (94% confidence)
The incident workflow instructs the skill to automatically collect and upload broad forensic data, including configuration, skills/plugins inventory, assessments, sessions, and logs. For an insurance/risk-advisory skill, this is excessive by default and can expose unrelated secrets, personal data, and proprietary context far beyond what is necessary to file a claim.

Context-Inappropriate Capability

High (97% confidence)
Automatically collecting the most recent session records can capture highly sensitive natural-language data such as credentials, internal instructions, personal information, customer content, or unrelated conversations. This is especially dangerous because the skill frames it as part of a claims workflow, so users may not reasonably expect broad transcript exfiltration.

Context-Inappropriate Capability

Medium (92% confidence)
Collecting and uploading seven days of logs by default can expose tokens, API keys, system paths, user identifiers, prompts, and unrelated operational activity. In the context of a claims-assistance skill, that scope is broader than necessary and increases the blast radius of any backend compromise or misuse.

Description-Behavior Mismatch

Medium (94% confidence)
The document instructs the agent to collect extensive host and environment details including software versions, workspace paths, config file paths, network boundary, authentication, audit logging, and deployment information. For a user-facing insurance/service application workflow, this materially expands data collection beyond what is clearly necessary and creates a high-value reconnaissance bundle that could aid follow-on attacks or expose sensitive local environment details.

Description-Behavior Mismatch

Medium (95% confidence)
The asset collection section asks the agent to inventory credential types, sensitive data categories, and infrastructure access such as databases and servers. Even without requesting secret values, this produces a targeted asset map useful for attackers and is not clearly disclosed in the stated manifest purpose of insurance/service handling, making it an unnecessary exposure of security-sensitive metadata.

Context-Inappropriate Capability

Medium (92% confidence)
The instructions direct the agent to discover likely main configuration file paths if they are not already known. Enumerating configuration locations can reveal sensitive filesystem structure and point directly to files likely containing secrets or security-relevant settings, increasing reconnaissance capability beyond what is obviously required for the declared workflow.

Missing User Warnings

High (96% confidence)
The skill directs automatic evidence collection and upload of sensitive local artifacts without a prominent privacy warning, data minimization statement, or clear disclosure of sensitivity. Because the workflow includes sessions and logs, the absence of strong warning and consent language materially increases the risk of unexpected data disclosure.

Missing User Warnings

Medium (90% confidence)
The documentation instructs users to bypass TLS certificate verification with --no-verify-ssl for self-signed test environments, but does not give a strong warning that this enables man-in-the-middle attacks and undermines transport authenticity. Even in test contexts, normalizing insecure transport patterns can lead to credential or data exposure.

Missing User Warnings

Medium (94% confidence)
The guide instructs the agent to inspect environment variables, local files, and cloud metadata endpoints to infer deployment details, but does not constrain collection to non-sensitive signals or forbid retrieval of secrets. In an agent setting, this can trigger access to highly sensitive runtime data and network endpoints, turning a questionnaire task into unnecessary secret discovery and potential exfiltration via the generated reasoning.

Missing User Warnings

Medium (91% confidence)
The skill asks for sensitive system and environment data but does not pair that request with a prominent privacy warning, purpose limitation, or consent language. This can lead users to disclose operationally sensitive information without understanding the exposure, especially because the workflow is framed as a service configuration step rather than a deep environment audit.

Missing User Warnings

Medium (93% confidence)
The asset inventory section requests information about credentials, sensitive data, and infrastructure access without a prominent warning about the sensitivity of that metadata. Users may reasonably assume that omitting secret values makes the request safe, but even service names and asset categories can significantly improve an attacker's understanding of the environment.

Ssd 3

High (97% confidence)
The workflow explicitly calls for collection of session records and logs, which are common carriers of secrets, personal data, and confidential business content. Sending these artifacts to a backend as part of a general claim process creates a direct sensitive-data disclosure risk, especially if collection is automatic and broad in scope.

Ssd 3

Medium (83% confidence)
The questionnaire instructions require the agent to reason over its runtime environment and submit locally collected security information, which can lead to over-sharing of environment details, configurations, and inferred sensitive metadata. In a risk-assessment context some collection is expected, but the documentation does not sufficiently constrain scope or require minimization.

Ssd 3

Medium (97% confidence)
The document requires the agent to provide full reasoning evidence about its environment and security posture for each answer. That pattern is dangerous because natural-language justifications often include sensitive operational details that are not needed for the business purpose, creating an easy path for infrastructure disclosure and accidental leakage of internal security controls.

Ssd 3

Medium (96% confidence)
This section specifically encourages inclusion of environment variables, cloud metadata checks, and local filesystem characteristics in the response. Those artifacts can reveal credentials, account identifiers, host layout, cloud provider details, and other reconnaissance data that materially lowers the barrier for follow-on attacks.

Ssd 3

Medium (98% confidence)
The example reasoning explicitly normalizes echoing instance metadata results and the presence of cloud access key indicators in output. Even if the example does not print the secret itself, teaching the agent to surface credential-related signals and metadata-derived infrastructure details is highly dangerous because users may adapt the pattern to disclose actual values or enough context for targeted compromise.

VirusTotal

64/64 vendors flagged this skill as clean.